Commit Graph

19450 Commits

Author SHA1 Message Date
pennae
55863f14ce nixos/couchdb: add missing defaultText 2021-12-29 20:12:02 +01:00
pennae
7e28421e17 nixos/kubernetes: make lib option internal and readonly
this set almost certainly shouldn't be touched by users, nor listed in
the manual. make it internal and use it only through the option path to
make clear that this should not be modified.
2021-12-29 20:12:02 +01:00
pennae
abef4b10b6 nixos/kubernetes: add missing defaultText to expression default 2021-12-29 19:57:55 +01:00
Yureka
407d75ae11 nixos/mautrix-telegram: run alembic only if available 2021-12-29 19:28:24 +01:00
tomberek
94cb489156
Merge pull request #133984 from ju1m/sourcehut
nixos/sourcehut: updates, fixes, hardening
2021-12-28 22:29:36 -05:00
Julien Moutinho
42da4f78d8 nixos/sourcehut: add more tests 2021-12-28 22:18:45 -05:00
Julien Moutinho
e1549f5df9 nixos/sourcehut: fix links to gitsrht-update-hook 2021-12-28 22:18:44 -05:00
Julien Moutinho
ac2a39ac75 nixos/sourcehut: fix post-update-script 2021-12-28 22:18:44 -05:00
Julien Moutinho
96e103cfe3 nixos/sourcehut: fix OnCalendar 2021-12-28 22:18:44 -05:00
Julien Moutinho
8ed7fd0f3a nixos/sourcehut: full rewrite, with fixes and hardening 2021-12-28 22:18:40 -05:00
José Romildo Malaquias
628e9125e9
Merge pull request #152344 from romildo/upd.qt5ct
qt5ct: move to qt5-packages
2021-12-28 07:33:37 -03:00
Martin Weinelt
eb51af35ad
Merge pull request #152311 from arachnist/kea-fixes 2021-12-27 22:01:32 +01:00
Nikolay Amiantov
a3e7a83514
Merge pull request #150774 from abbradar/docker-rootless
Rootless Docker service
2021-12-27 20:32:57 +03:00
Nikolay Amiantov
9027a59f7a influxdb2 service: don't use dynamic user
It breaks something inside of influxdb2, which results in flurry of errors like these:

> ts=2021-12-21T18:19:35.513910Z lvl=info msg="Write failed" log_id=0YZYwvV0000 service=storage-engine service=write shard=50 error="[shard 50] unlinkat ./L1-00000055.tsi: read-only file system"

I believe this is somehow caused by a mount namespace that systemd creates for
the service, but I didn't investigate this deeper.
2021-12-27 20:31:27 +03:00
Michele Guerini Rocco
3a7d97bff2
Merge pull request #139873 from rnhmjoj/dhcpd
nixos/dhcpd: switch to DynamicUser
2021-12-27 18:07:16 +01:00
Martin Weinelt
99e8065d4c
Merge pull request #147784 from m1cr0man/acme 2021-12-27 17:37:39 +01:00
José Romildo
44c1dfb32d qt5ct: move to qt5-packages 2021-12-27 11:03:07 -03:00
Bobby Rong
c2b7c98814
Merge pull request #151678 from kouyk/thinkfan-typo
thinkfan: fix typo in level
2021-12-27 17:35:59 +08:00
Robert Gerus
6faa7ad3fc nixos/kea: fixes for the systemd units
Fix a typo in the kea-dhcp-ddns-server unit definition, and add a
KEA_LOCKFILE_DIR environment variable without which kea daemons try to
access a lockfile under /var/run/kea path, which is prevented by
systemd's ProtectSystem (or one of the other Protect*) mechanism.
kea-dhcp-ddns-server doesn't react to updates from dhcp4 server at all
without it.
2021-12-27 04:41:20 +01:00
Bernardo Meurer
f6d17af6b3
Merge pull request #152289 from lovesegfault/fix-mtp-udev-path
nixos/gvfs: fix libmtp udev package path
2021-12-27 02:27:53 +00:00
Artturi
3239e947d1
Merge pull request #151156 from Artturin/fsckonbat 2021-12-27 04:18:40 +02:00
Bernardo Meurer
2d7fc66c79
nixos/gvfs: fix libmtp udev package path
As pointed out by @sigprof[1] my bump of libmtp silently broke this, as I
moved the udev files out of the bin output of the pkg.

[1]: https://github.com/NixOS/nixpkgs/pull/144290#discussion_r775266642
2021-12-26 20:05:14 -03:00
Lucas Savva
65f1b8c6ae
nixos/acme: Add test for lego's built-in web server
In the process I also found that the CapabilityBoundingSet
was restricting the service from listening on port 80, and
the AmbientCapabilities was ineffective. Fixed appropriately.
2021-12-26 16:49:59 +00:00
Silvan Mosberger
2dcc3daadf
nixos/acme: Clean up default handling 2021-12-26 16:49:58 +00:00
Lucas Savva
41fb8d71ab
nixos/acme: Add useRoot option 2021-12-26 16:49:57 +00:00
Lucas Savva
8d01b0862d
nixos/acme: Update documentation
- Added defaultText for all inheritable options.
- Add docs on using new defaults option to configure
  DNS validation for all domains.
- Update DNS docs to show using a service to configure
  rfc2136 instead of manual steps.
2021-12-26 16:49:55 +00:00
Lucas Savva
377c6bcefc
nixos/acme: Add defaults and inheritDefaults option
Allows configuring many default settings for certificates,
all of which can still be overridden on a per-cert basis.
Some options have been moved into .defaults from security.acme,
namely email, server, validMinDays and renewInterval. These
changes will not break existing configurations thanks to
mkChangedOptionModule.

With this, it is also now possible to configure DNS-01 with
web servers whose virtualHosts utilise enableACME. The only
requirement is you set `acmeRoot = null` for each vhost.

The test suite has been revamped to cover these additions
and also to generally make it easier to maintain. Test config
for apache and nginx has been fully standardised, and it
is now much easier to add a new web server if it follows
the same configuration patterns as those two. I have also
optimised the use of switch-to-configuration which should
speed up testing.
2021-12-26 16:44:10 +00:00
Lucas Savva
a7f0001328
nixos/acme: Check for revoked certificates
Closes #129838

It is possible for the CA to revoke a cert that has not yet
expired. We must run lego to validate this before expiration,
but we must still ignore failures on unexpired certs to retain
compatibility with #85794

Also changed domainHash logic such that a renewal will only
be attempted at all if domains are unchanged, and do a full
run otherwises. Resolves #147540 but will be partially
reverted when go-acme/lego#1532 is resolved + available.
2021-12-26 16:44:09 +00:00
Lucas Savva
87403a0b07
nixos/acme: Add a human readable error on run failure
Closes NixOS/nixpkgs#108237

When a user first adds an ACME cert to their configuration,
it's likely to fail to renew due to DNS misconfig. This is
non-fatal for other services since selfsigned certs are
(usually) put in place to let dependant services start.
Tell the user about this in the logs, and exit 2 for
differentiation purposes.
2021-12-26 16:44:08 +00:00
Lucas Savva
a88d846b91
nixos/acme: Remove selfsignedDeps from finished targets
selfsignedDeps is already appended to the after and wants
of a cert's renewal service, making these redundant.

You can see this if you run the following command:
systemctl list-dependencies --all --reverse acme-selfsigned-mydomain.com.service
2021-12-26 16:44:07 +00:00
Aaron Andersen
9ec14cd78d
Merge pull request #151255 from aanderse/nixos/mysql-cleanup
nixos/mysql: module cleanup
2021-12-25 17:04:35 -05:00
Aaron Andersen
baa0e61569
Merge pull request #147973 from aanderse/nixos/caddy
nixos/caddy: introduce several new options
2021-12-25 17:01:54 -05:00
Lassulus
028f8c7625
Merge pull request #151482 from jbpratt/kubevirt
virtualisation: implement kubevirt config
2021-12-25 22:05:00 +01:00
Emery Hemingway
02cb654a4d nixos/stubby: reduce to a settings-style configuration
Extract the example configuration from the package to provide a
working example.

Remove pkgs.stubby from `environment.systemPackages`.
2021-12-25 12:07:06 +01:00
7c6f434c
b0f154fd44
Merge pull request #147027 from Izorkin/update-nginx-ktls
nginxMainline: enable ktls support
2021-12-24 10:23:17 +00:00
Maximilian Bosch
3d91acc39a
Merge pull request #151481 from Ma27/privacyidea-uwsgi-buffer-size
nixos/privacyidea: increase buffer-size of uwsgi from 4096 to 8192
2021-12-24 10:21:24 +01:00
Bobby Rong
7378b39d1d
Merge pull request #149704 from squalus/nginx-prometheus-exporter-fix
nixos/prometheus-nginx-exporter: fix argument syntax
2021-12-23 10:27:16 +08:00
Guillaume Girol
d96a3994cc nixos/collectd: validate config file syntax at build time 2021-12-23 00:08:43 +01:00
Aaron Andersen
d621ad09a8 nixos/mysql: minor cleanup and formatting 2021-12-22 08:57:18 -05:00
Aaron Andersen
a96f6ef187 nixos/mysql: remove services.mysql.bind and services.mysql.port in favor of services.mysql.settings 2021-12-22 08:57:14 -05:00
Nikolay Amiantov
ab64310a5e docker-rootless service: init 2021-12-22 14:23:23 +03:00
Florian Klink
60e571fa40
Merge pull request #150922 from ncfavier/systemd-tzdir
nixos/systemd: set TZDIR for PID 1
2021-12-22 11:52:27 +01:00
Steven Kou
73050d70fc
thinkfan: fix typo in level
One of the valid values for the fan speed is "level disengaged",
however, it is represented as "level disengage" and does not match
what thinkfan expects.
2021-12-22 04:00:19 +08:00
jbpratt
e96e5ddd1f virtualisation: implement kubevirt config
KubeVirt[1] allows for VMs to be run and managed as pods inside of
Kubernetes clusters. Information about the guests can be exposed through
qemu-guest-agent[2] as well as startup scripts can be injected through
cloud-init[3].

This config has been duplicated and modified from the `cloudstack`
config/script.

To test this out, deploy KubeVirt locally with KinD[4], build the disk
image, then package it into a container image (or upload to CDI[5]) and
provision a VirtualMachine.

[1]: https://kubevirt.io/user-guide/
[2]: https://kubevirt.io/user-guide/virtual_machines/guest_agent_information/
[3]: https://kubevirt.io/user-guide/virtual_machines/startup_scripts/#cloud-init-examples
[4]: https://kubevirt.io/quickstart_kind/
[5]: https://kubevirt.io/user-guide/operations/containerized_data_importer/#containerized-data-importer

Signed-off-by: jbpratt <jbpratt78@gmail.com>
2021-12-21 05:52:16 -06:00
Aaron Andersen
81a67a3353 nixos/caddy: introduce several new options 2021-12-20 20:00:42 -05:00
Maximilian Bosch
8f9f754271
nixos/privacyidea: increase buffer-size of uwsgi from 4096 to 8192
When accessing the Audit log, I get an HTTP 502 when the frontend
requests `/audit` and I get the following error in my `nginx`-log:

    Dec 20 22:12:48 ldap nginx[336]: 2021/12/20 22:12:48 [error] 336#336: *8421 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 10.237.0.1, server: _, request: "GET /audit/?action=**&action_detail=**&administrator=**&client=**&date=**&duration=**&info=**&page=1&page_size=10&policies=**&privacyidea_server=**&realm=**&resolver=**&serial=**&sortorder=desc&startdate=**&success=**&tokentype=**&user=** HTTP/1.1", upstream: "uwsgi://unix:/run/privacyidea/socket:", host: "ldap.ist.nicht-so.sexy", referrer: "https://ldap.ist.nicht-so.sexy/"

This is because of an "invalid request block size"-error according to
`journalctl -u privacyidea.service`:

    Dec 20 22:12:48 ldap uwsgi[10721]: invalid request block size: 4245 (max 4096)...skip

Increasing the buffer to 8192 fixes the problem for me.
2021-12-21 00:51:45 +01:00
Graham Christensen
3907d19260 services.prometheus.exporters.fastly: add a smoke test 2021-12-20 10:57:31 -05:00
Graham Christensen
1753f97e13 services.prometheus.exporters.fastly: fixup broken module config 2021-12-20 10:29:13 -05:00
Franz Pletz
d5b0e12d9b
Merge pull request #147516 from pennae/dhcpcd
dhcpcd: 8.1.4 -> 9.4.1, module updates, enable privsep
2021-12-20 14:44:58 +01:00
pennae
971adf24eb nixos/dhcpcd: set RuntimeDirectory 2021-12-20 10:53:13 +01:00